Bug 761863 - Crash [@ js::Shape::isNative]
Status: Closed, VERIFIED FIXED (opened 13 years ago, closed 13 years ago)
Categories: Core :: JavaScript Engine, defect
Target milestone: mozilla16

| Branch | Tracking | Status |
|---|---|---|
| firefox14 | --- | unaffected |
| firefox15 | --- | unaffected |
| firefox16 | + | fixed |
| firefox-esr10 | - | unaffected |

People: Reporter: decoder, Assigned: luke
Details: 4 keywords, Whiteboard: js-triage-needed [advisory-tracking-]
Attachments (1 file): patch, 1.32 KB, dvander: review+ (Details | Diff | Splinter Review)
The following test crashes on mozilla-central revision cf4face65451 (options -m -n):
```js
var N = 350;
var source = "".concat( repeat_str("}", N));
function repeat_str(str, repeat_count) {
gczeal(4);
function o() {}
function k() {
for (i += 0; i < this.depth; ++i) {}
}
for (var i = 0; function(){ }; i++)
(i) = {o: o, k: k};
}
```
GDB Crash trace:
```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000405f05 in js::Shape::isNative (this=0x7ff8000000000000) at ../../jsscope.h:551
551 JS_ASSERT(!(flags & NON_NATIVE) == getObjectClass()->isNative());
(gdb) bt
#0 0x0000000000405f05 in js::Shape::isNative (this=0x7ff8000000000000) at ../../jsscope.h:551
#1 0x0000000000406fa2 in js::ObjectImpl::isNative (this=0x7ffff6105020) at ../../vm/ObjectImpl-inl.h:174
#2 0x000000000054bef6 in LookupPropertyWithFlagsInline (cx=0xc11f90, obj=..., id=..., flags=1, objp=0x7fffffffc670, propp=0x7fffffffc690) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4684
#3 0x000000000054d1a3 in js_GetPropertyHelperInline (cx=0xc11f90, obj=..., receiver=..., id_=..., getHow=0, vp=0x7fffffffc960) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5003
#4 0x000000000054d78a in js::GetPropertyHelper (cx=0xc11f90, obj=..., id=..., getHow=0, vp=0x7fffffffc960) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5089
#5 0x000000000054d9fc in js::GetMethod (cx=0xc11f90, obj=..., id=..., getHow=0, vp=0x7fffffffc960) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5136
#6 0x000000000054f266 in js::MaybeCallMethod (cx=0xc11f90, obj=..., id=..., vp=0x7fffffffc960) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5551
#7 0x000000000054f74c in js::DefaultValue (cx=0xc11f90, obj=..., hint=JSTYPE_NUMBER, vp=0x7fffffffc960) at /srv/repos/mozilla-central/js/src/jsobj.cpp:5605
#8 0x0000000000429d4c in JSObject::defaultValue (this=0x7ffff6117040, cx=0xc11f90, hint=JSTYPE_NUMBER, vp=0x7fffffffc960) at ../jsobjinlines.h:68
#9 0x00000000005316af in js::ToPrimitive (cx=0xc11f90, preferredType=JSTYPE_NUMBER, vp=0x7fffffffc960) at ../jsobjinlines.h:1271
#10 0x0000000000534d69 in js::ToNumberSlow (cx=0xc11f90, v=..., out=0x7fffffffc9b8) at /srv/repos/mozilla-central/js/src/jsnum.cpp:1261
#11 0x0000000000503200 in js::ToNumber (cx=0xc11f90, vp=0x7ffff63fb160) at /srv/repos/mozilla-central/js/src/jsnum.h:133
#12 0x000000000081028a in js::mjit::stubs::Pos (f=...) at /srv/repos/mozilla-central/js/src/methodjit/StubCalls.cpp:1327
#13 0x00007ffff7f3d587 in ?? ()
#14 0x00007ffff7f3d773 in ?? ()
#15 0x0000000000000001 in ?? ()
#16 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x405f05 <js::Shape::isNative() const+17>: movzbl 0x15(%rax),%eax
(gdb) info reg rax
rax 0x7ff8000000000000 9221120237041090560
```
Assuming s-s due to unsafe-looking crash with GC relation.
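To see what the faulting `this` in the trace really holds, here is an added triage helper (my code, not from this bug or from SpiderMonkey) that decodes raw 64-bit patterns against the x86-64 JS::Value punboxing layout; the tag constants are assumed from the jsval.h of that era, and the function names are mine.

```python
# Added triage helper, not code from this bug or from SpiderMonkey. It decodes a
# raw 64-bit pattern against the x86-64 JS::Value "punboxing" layout, assumed
# from jsval.h of that era: a 17-bit tag above bit 47, doubles stored verbatim
# below the max-double boundary, JSVAL_TYPE_* codes 0x1..0x7 for the rest.
import struct

TAG_SHIFT = 47
TAG_MAX_DOUBLE = 0x1FFF0
SHIFTED_TAG_MAX_DOUBLE = (TAG_MAX_DOUBLE << TAG_SHIFT) | 0xFFFFFFFF
PAYLOAD_MASK = (1 << TAG_SHIFT) - 1
MASK64 = (1 << 64) - 1
CANONICAL_NAN = 0x7FF8000000000000

# JSVAL_TYPE_* codes; a non-double tag is TAG_MAX_DOUBLE | type code.
TYPE_NAMES = {0x1: "int32", 0x2: "undefined", 0x3: "boolean", 0x4: "magic",
              0x5: "string", 0x6: "null", 0x7: "object"}
TYPE_CODES = {name: code for code, name in TYPE_NAMES.items()}


def box(kind, payload):
    """Raw bits of a non-double JS::Value (payload given unsigned), for round trips."""
    tag = TAG_MAX_DOUBLE | TYPE_CODES[kind]
    return (tag << TAG_SHIFT) | (payload & PAYLOAD_MASK)


def decode_value(bits):
    """Return (kind, payload) for a raw x86-64 JS::Value bit pattern."""
    bits &= MASK64
    if bits <= SHIFTED_TAG_MAX_DOUBLE:
        # Everything up to the boundary is an IEEE double stored verbatim;
        # the engine canonicalises NaNs so they never reach the tag space.
        return "double", struct.unpack("<d", struct.pack("<Q", bits))[0]
    tag = bits >> TAG_SHIFT
    return TYPE_NAMES.get(tag & 0xF, "invalid"), bits & PAYLOAD_MASK


def describe_crash_pointer(bits):
    """One-line triage verdict for a pointer value seen in a crash register."""
    kind, payload = decode_value(bits)
    if kind == "double":
        nan_note = " (canonical NaN)" if bits == CANONICAL_NAN else ""
        return "boxed double%s stored where a pointer belongs" % nan_note
    if kind == "object":
        return "object pointer 0x%x" % payload
    if kind == "invalid":
        return "no valid JS::Value encoding (0x%x)" % payload
    return "boxed %s (payload 0x%x)" % (kind, payload)


if __name__ == "__main__":
    # Constructed inputs: the faulting `this` from frame #0 of the trace, and a
    # boxed object built from the ObjectImpl pointer seen in frame #1.
    print(describe_crash_pointer(CANONICAL_NAN))
    print(describe_crash_pointer(box("object", 0x7FFFF6105020)))
```

Decoding 0x7ff8000000000000 classifies it as the canonical NaN double, the signature of a boxed JS::Value having been written over the object's shape pointer rather than of a stray or freed Shape*.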
Comment 2 (Assignee), 13 years ago
The allocReg'd register may be clobbered by the igc write barrier.
Attachment #630819 - Flags: review?(bhackett1024)
Comment on attachment 630819 [details] [diff] [review]
fix and test
Review of attachment 630819 [details] [diff] [review]:
-----------------------------------------------------------------
stealing r? at luke's request
Attachment #630819 - Flags: review?(bhackett1024) → review+
Comment 4 (Assignee), 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
Comment 5 (Reporter), 13 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated (Reporter), 13 years ago
Status: RESOLVED → VERIFIED
Comment 6 (Assignee), 13 years ago
...and because I'm retarded, its twin:
https://hg.mozilla.org/mozilla-central/rev/c29b842c4159
Comment 8, 13 years ago
Is this a regression from something or do we need to fix ESR and Beta/Aurora, too?
No longer blocks: 762005
status-firefox16: --- → fixed
tracking-firefox16: --- → +
Keywords: sec-critical
Comment 9, 13 years ago
Marking 10, 14, 15 as affected given this is believed to be a regression from bug 659577. Please correct that if wrong Luke.
status-firefox-esr10: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
tracking-firefox-esr10: --- → 16+
Comment 10, 13 years ago
Are we ever going to fix this for ESR?
Whiteboard: js-triage-needed → js-triage-needed [advisory-tracking+]
Comment 11, 13 years ago
Too late for 14 / 15.
As far as I can tell, comment 9 is incorrect and only 16 was affected: bug 659577 landed for 16 and was never taken on branches.
Comment 13, 13 years ago
So the uplift happened before 06:30 that day?
As far as I can tell, bug 659577 missed the cutoff for 15. It was originally marked mozilla15 and then philor switched it to mozilla16. To be sure, I checked the mozilla-release repo and it does not contain the changes from that bug.
Comment 15, 13 years ago
Looks like the uplift was Monday June 4, despite what https://wiki.mozilla.org/RapidRelease/Calendar would have us believe:
http://hg.mozilla.org/mozilla-central/rev/fe758ebc1707
Updated, 13 years ago
Blocks: 659577
Keywords: regression
Comment 16, 13 years ago
Looks good then. We never shipped this.
Whiteboard: js-triage-needed [advisory-tracking+] → js-triage-needed [advisory-tracking-]
Comment 17, 13 years ago
Setting tracking-firefox-esr10 to "-" as esr10 is unaffected based on comment 12
Updated, 13 years ago
Group: core-security
Updated, 13 years ago
Flags: in-testsuite+